17 WordPress Plugins Have Security Vulnerabilities

Here are some of the most common WordPress plugins with XSS security vulnerabilities that need to be updated immediately. Check your site and apply the updates as soon as possible.


Last week, the security firm Sucuri discovered that a large number of WordPress plugins share the same cross-site scripting (XSS) vulnerability: they build links with the WordPress functions add_query_arg() and remove_query_arg() and output the result without escaping it. Because those functions build on the current request URI when no base URL is passed, an attacker can craft a link which, when clicked by a logged-in administrator of a site running an outdated plugin, injects JavaScript into the admin page (reflected XSS). After working with the WordPress core security team, Sucuri listed 17 WordPress plugins with this vulnerability that need to be updated. This is not a complete list of plugins vulnerable to cross-site scripting, but it covers popular plugins used by many webmasters.
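The pattern behind all of the entries below, shown as an added example that is not code from Sucuri or from any of the listed plugins. It assumes a WordPress runtime (for instance run with WP-CLI as `wp eval-file demo.php`) so that add_query_arg(), esc_url() and admin_url() are defined; the request URI, the `demo-settings` page slug and the demo_* function names are constructed for the illustration. add_query_arg() with no explicit base URL parses $_SERVER['REQUEST_URI'], merges the new argument and returns the rebuilt URL with the query keys unescaped; the vulnerable function echoes that straight into an href attribute, the hardened ones pass it through esc_url() or avoid REQUEST_URI altogether:

```php
<?php
/**
 * Added example, not code from the advisory or from any listed plugin.
 * Assumes a WordPress bootstrap, e.g.  wp eval-file demo.php  (WP-CLI),
 * so that add_query_arg(), esc_url() and admin_url() exist.
 */

// Constructed attacker request URI: what the victim's browser sends after
// clicking a crafted link. The extra query key is percent-encoded the way a
// browser would send it; parse_str() inside add_query_arg() decodes it back
// to  "><script>alert(1)</script>  and build_query() does not re-encode keys.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo-settings'
    . '&%22%3E%3Cscript%3Ealert(1)%3C/script%3E';

/**
 * Vulnerable pattern: the URL returned by add_query_arg() is derived from
 * REQUEST_URI and is written into the attribute without escaping, so the
 * attacker's closing quote and <script> tag land in the admin page (reflected XSS).
 */
function demo_vulnerable_link() {
    $url = add_query_arg( 'tab', 'advanced' );      // no base URL => REQUEST_URI
    return '<a href="' . $url . '">Advanced</a>';   // unescaped output
}

/**
 * Hardened pattern (the fix the plugins shipped): esc_url() removes characters
 * that cannot appear in a URL, including the double quote and angle brackets,
 * and encodes & as an entity, so the attribute cannot be broken out of.
 */
function demo_hardened_link() {
    $url = esc_url( add_query_arg( 'tab', 'advanced' ) );
    return '<a href="' . $url . '">Advanced</a>';
}

/**
 * Defence in depth: pass an explicit base URL so attacker-supplied query
 * parameters from REQUEST_URI are never carried into the generated link,
 * and still escape the result.
 */
function demo_hardened_link_fixed_base() {
    $url = esc_url( add_query_arg(
        array( 'page' => 'demo-settings', 'tab' => 'advanced' ),
        admin_url( 'admin.php' )
    ) );
    return '<a href="' . $url . '">Advanced</a>';
}

echo "Vulnerable:  " . demo_vulnerable_link() . "\n";
echo "Hardened:    " . demo_hardened_link() . "\n";
echo "Fixed base:  " . demo_hardened_link_fixed_base() . "\n";
```

Running it under WordPress, the first line contains a live `<script>` element inside the anchor, the second contains only the stripped remains of the payload (`scriptalert(1)/script`) as harmless query text, and the third carries just `page` and `tab` on the admin URL. Note that the demo overwrites $_SERVER['REQUEST_URI'] purely to simulate the crafted request; in a real plugin the value comes from the browser, which is exactly why the output must be escaped.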

List of plugins with security vulnerabilities:

Jetpack WordPress Plugin

The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.

WordPress SEO plugin and Google Analytics by Yoast plugin

The main issue is the wrong usage of add_query_arg and remove_query_arg. It is present in both our WordPress SEO plugin and Google Analytics by Yoast plugin.

All In one SEO WordPress Plugin

Patched a security vulnerability in the use of add_query_arg (https://codex.wordpress.org/Function_Reference/add_query_arg), reported by Joost de Valk.

Gravity Forms WordPress Plugin

The security issue that Gravity Forms have patched is minor and not something that can be exploited without the user having admin access to your WordPress Dashboard. However, this may not be the case with the many other plugins that may be impacted.

Easy Digital Downloads WordPress Plugin

The Easy Digital Downloads update resolves a security vulnerability due to improper usage of the add_query_arg() function; there were several locations in Easy Digital Downloads that were possibly susceptible to cross-site scripting attacks.

UpdraftPlus WordPress Plugin

In UpdraftPlus, the danger is as follows: an attacker would need to a) send you a specially crafted link, and b) persuade you to click on it, on a computer on which you are also logged in to the WordPress dashboard on your site, with admin privileges. If you clicked on that link, then the attacker could run code in your dashboard page one time (i.e. not persistent – it won’t remain in your dashboard), performing UpdraftPlus administrative actions (e.g. download a backup, run a backup, delete a backup). We do not believe that there is a way for an attacker to upload and restore their own backup. (i.e. They cannot modify your site through injecting and restoring their own backups).

WP-E-Commerce WordPress Plugin

Fix potential reflected XSS issue with add_query_arg() and remove_query_arg() usage. Update is highly recommended.

WPtouch Mobile WordPress Plugin

Fixed: add_query_arg/remove_query_arg vulnerability

Download Monitor WordPress Plugin and Related Posts for WordPress

Download Monitor and Related Posts for WordPress have this vulnerability in the WordPress back end, meaning the XSS vulnerability could only be exploited if a logged-in user clicked a malicious link.

My Calendar WordPress Plugin

If you’re currently running any version in the 2.3.x branch of My Calendar, your site is vulnerable. If you’re on an older version of My Calendar, you are not vulnerable to this security issue, but you may be vulnerable to a security issue I fixed in version 2.3.10.

P3 (Plugin Performance Profiler) WordPress Plugin

Security update: Escape URLs returned by add_query_arg and remove_query_arg

Give – Democratizing Generosity WordPress Plugin

Security: Hardened URLs with esc_url() across the plugin core

Multiple iThemes products including Builder and Exchange

The main issue iThemes are fixing with this release is the wrong usage of the add_query_arg and remove_query_arg functions used in these plugins and themes. The WordPress functions add_query_arg() and remove_query_arg() were assumed to produce a safe-to-use URL, but that's not always the case. Carefully crafted URLs could result in what is called reflected XSS, which basically means that when the dangerous URL is accessed, some JavaScript could be injected into the page and run.

Broken Link Checker WordPress Plugin

Fixed a serious CSRF/XSS vulnerability.

Ninja Forms WordPress Plugin

The vulnerability only affected pages within the wp-admin. That means that a user would need to be logged-in as an admin before they could do anything malicious.


Source: Sucuri, Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins
